From COVID-19 to cybersecurity: A tale of toilet paper and risk
I never thought that I’d be comparing toilet-roll purchasing habits with cybersecurity risk management, but here I am in the midst of the COVID-19 pandemic seeing some interesting parallels. As an industrial automation consultant and subject-matter expert for ISA, I travel the world talking to organizations about managing their cybersecurity risk. Common themes have emerged. I realize that both COVID-19 and industrial cybersecurity discussions provoke similar reactions—and behind both is the psychology of how people interpret and respond to risk. Here are some examples:
- There are organizations that deny the abundance of data and insist that they are not at risk. These are COVID-19 deniers, watching the reports of the exponential spread of the virus but claiming that there is really nothing to worry about. Scottish author Hunter Davies recently tweeted that “I’m 84. I survived rationing. I’m not scared of the coronavirus,” which would be like an organization claiming: “We’ve been around for 84 years. We survived a hurricane, so we’ll survive a cyberattack.”
- There are organizations that ask for advice from cybersecurity experts, then promptly ignore that advice because it is inconvenient to them. When epidemiologists recommend taking extreme action and shutting down public events, they base this on their specialist knowledge and experience. While there may be initial resistance to such recommendations, it is almost always necessary to follow the guidance of experts. After all, expert comes from the Latin expertus, meaning tested or proved.
- There are organizations that follow others and undertake costly but ultimately ineffective or misguided responses to cybersecurity risk. A typical case is deploying expensive cybersecurity software solutions without first establishing good basic cybersecurity hygiene practices. Often the software is purchased because others have done the same, so it must be the right thing to do. But there are more important steps to take first. This is equivalent to the panic buying of toilet paper rolls that we are seeing today. While stocking up on toilet paper might seem like a sensible contingency plan, there are other factors to consider—not least the exposure to the virus in the supermarket itself.
Psychologist Paul Slovic’s review article, “Perception of risk,” published in Science in 1987, gives some insight into why this happens. Slovic’s analysis compared the difference in perception of the risks of nuclear energy versus driving automobiles. He concluded that because there are so many automobile accidents, the risk is knowable. There is also limited media coverage of automobile accidents, with no speculation about unknown events. Unlike automobile accidents, nuclear energy represents an unknown risk with a relative lack of data. Nuclear accidents get widespread media coverage, resulting in speculation about possible future disasters. The result is that the lower-risk scenario (nuclear energy) induces more fear than the higher-risk activity (driving an automobile).
In the toilet paper versus community spread scenarios, the fear of running out of toilet paper is knowable, whereas there is still much uncertainty about the likelihood of contracting COVID-19, so once again people are failing to accurately measure risk. But the more you know about your risk, the less there is to fear.
—Steve Mustard, ISA subject-matter expert. Visit https://isa.org to find out what ISA does to provide training to properly understand cybersecurity risks and to create experts through its cybersecurity certificate program.
ARC 2020 Conference: IT/OT combine for digitalization
The increasing speed of integration of business, engineering, and manufacturing systems was evident at the 2020 ARC Orlando Forum. Focused on the theme “Driving Digital Transformation in Industry and Cities,” the 3–6 February event boasted more than 800 attendees representing more than 300 companies from 20 countries.
Multiple tracks and sessions comprised over 200 industry presenters and panel participants sharing their insights, experiences, and concerns. Reflecting the increasing integration of information technology (IT) and operational technology (OT) disciplines, this year’s conference had more IT people attending than ever before, and the vendor showcase featured more IT companies than OT. Many of the presentations illustrated that there are big advantages when companies operate in new, collaborative ways across the whole of the enterprise in order to create flexible and synchronized manufacturing. Read this article at Automation.com to find out more, including:
- How successful digitalization requires alignment starting at the top of the organization.
- How traditionally siloed organizations are now working collaboratively across departments, including engineering, IT, OT, purchasing, and manufacturing operations.
- Details of the Dow Corporation digitalization journey as presented by Melanie Kalmar, Dow Corporate VP, chief information officer and chief digital officer, and Peter Holicki, Dow senior vice president of operations for manufacturing and engineering. Holicki and Kalmar described their efforts to create a culture that leveraged what they had in common to build trust, so teams would be willing to try new things together, and even make mistakes.
—Bill Lydon, Automation.com contributing editor
In memoriam: Richard “Rich” Merritt, 1943–2020
Rich Merritt was born at a very young age, on 8 November 1943 in Hackensack, N.J. He was the son of Harold and Florence (Bahr) Merritt, an avid sports car/race car driver and racing fan, and a devoted husband, father, and grandfather. He was also a giant of industrial automation and control technical communications, serving countless publications and clients over his long career, including Automation.com and ISA’s InTech magazine. Alas, Richard “Rich” Jesse Merritt died Saturday, 8 February 2020, at his home in Cedar Rapids. He was 76.
In agreement with his wishes, Merritt was cremated, and no services were held. Then came the coronavirus restrictions, and the family’s planned celebration of life was delayed. So, here is a little about the man who touched so many lives through his spoken and written words.
On his LinkedIn page, Merritt wrote: “Almost all my life has been in automation and process control—including developing automation systems, writing about them as an editor, and marketing them to customers. I know products and technologies, and I know how to write about them in a clear, concise way that gets the attention of magazine editors and their readers.”
“I have always been amazed at the way Rich can call upon his vast industry experience and technical knowledge to write on any subject involving process control and automation,” said Dan Hebert, PE and principal of Controls PR. “He writes like he’s ‘been there, done that’ and his writing is typically crystal clear. He also has a knack for interviewing people, from machine builders to systems integrators to control engineers, and manages to wrest gems of knowledge from them.”
Merritt was a storyteller and a technologist who wrote a lot of automation-related copy over the years. “Rich was one of our most valued writers from 2009 to 2019,” said Hebert, “creating hundreds of beautifully crafted articles, press releases, and whitepapers.”
Merritt was a guy many considered a friend. David Sear, editor for Valve World magazine, said, “Rich and I knew each other and developed a friendship without ever really becoming acquainted. That may sound strange, but it will probably strike a chord with many who work in the wonderful yet transient world of PR, editing, and journalism.”
Sear said those exchanges would prompt a spate of emails during which he knew he could trust Merritt’s professionality but also got to know a little of his unique nature. “Seeing Rich’s name pop up on my PC always added a little sunshine to the cloudiest of days,” said Sear. “And even in passing, Merritt still managed to make me smile.”
Merritt wrote news, articles, product coverage, and a column for Control magazine in the late 1990s and early aughts. As senior technical editor, he said, “My writing helped take Control from third place to the Number 1 magazine in its field. I won 10 ASBPE writing awards in four years, including Best Column three years in a row, and Best Technical article four times.”
Paul Studebaker, editor in chief of Control magazine and ControlGlobal.com at the time, said Merritt never shied away from taking controversial positions on topics ranging from “manufacturing execution systems, or MES, (bad!) to climate change (good!).”
“Rich also made me jealous with extended trips to Hawaii and his excellent motor racing skills,” Studebaker added. “He linked me to videos so I could ride along, and I watched his humble BMW eat Vettes and Vipers.” He said you could always tell you were reading one of Rich’s pieces because, eventually, you’d encounter an “alas.” Even today, a search for “alas” on ControlGlobal.com brings up tons of vintage Rich:
- “Alas, I rarely see anyone who actually might know what is going on inside the company . . . .”
- “Alas, most HMI vendors appear to be dragging their feet . . . .”
Alas, Rich Merritt is gone. According to his daughter, Cathi, he planned to write his own obituary but ran out of time. But, she said, there was one line that he was absolutely adamant about including at the start: “I was born at a very young age . . . .”
Rich, you will be missed.
—Renee Bassett, chief editor, Automation.com and InTech
MITRE Framework tracks cyberattacks on industrial control systems
MITRE has released a new tool for industrial control system (ICS) cybersecurity based on its globally accessible, freely available MITRE ATT&CK knowledge base for critical infrastructure. It focuses on the unique threat behaviors leveraged by adversaries targeting ICS environments, and creates a forum for establishing how ICS intrusions are different from enterprise IT intrusions to help ICS operations and security teams better protect their mission-critical systems.
ATT&CK for ICS is a knowledge base for describing the actions an adversary may take while operating within an ICS network. Quint Wysor, senior manager of cybersecurity at Duke Energy, says “the introduction of the new industrial control systems–focused version will enhance the work that industries with critical infrastructure, including the utility sector, have already done to protect their information and infrastructure.”
The knowledge base can play several key roles for defenders, including helping establish a standard language for security practitioners to use as they report incidents. It can help with the development of incident response playbooks, prioritizing defenses as well as finding gaps, reporting threat intelligence, training analysts, and emulating adversaries during exercises. It captures the behaviors that adversaries use specifically within ICS environments.
Add your voice to the celebration
75 years of setting the standard for automation
The Sep/Oct 2020 issue of InTech will include the 75th Anniversary Commemorative Supplement.
In addition to technology timelines, Automation Innovator Profiles, and predictions for the future, the supplement provides ways for supporters to buy ads, share stories of ISA history, or position their companies as part of the Industrial Automation Innovators Showcase.
Show your support for the organization that supports your people, products, and customers. Email stories, congratulations, and questions to firstname.lastname@example.org.